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ABSTRACT 


This  paper  explores  a technique  for  proving  the  correctness  and  termination  of  programs 
simultaneously.  This  approach,  which  we  call  the  intermittent-assertion  method,  involves 
documenting  the  program  with  assertions  that  must  be  true  at  some  time  when  control  passes 
through  the  corresponding  point,  but  that  need  not  be  true  every  time.  The  method,  introduced 
by  Burstall,  promises  to  provide  a valuable  complement  to  the  more  conventional  methods. 

We  first  introduce  the  intermittent-assertion  method  with  a number  of  examples  of  correctness 
and  termination  proofs.  Some  of  these  proofs  are  markedly  simpler  than  their  convetional 
counterparts.  On  the  other  hand,  we  show  that  a proof  of  correctness  or  termination  by  any  of 
the  conventional  techniques  can  be  rephrased  directly  as  a proof  using  intermittent  assertions. 
Finally,  we  show  how  the  intermittent  assertion  method  can  be  applied  to  prove  the  validity  of 
program  transformations  and  the  correctness  of  continuously  operating  programs. 

This  is  a revised  and  simplified  version  of  a previous  paper  with  the  same  title  (AIM-281,  June 
1976) 
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I.  Introduction 

The  most  prevalent  approach  to  prove  that  a program  satisfies  a given  property  has  been  the 
invariant-assertion  method,  made  known  largely  through  the  work  of  Floyd  [1967]  and  Hoare 
[1969].  In  this  method,  the  program  being  studied  is  supplied  with  formal  documentation  in 
the  form  of  comments,  called  invariant  assertions,  which  express  relationships  between  the 
different  variables  manipulated  by  the  program.  Such  an  Invariant  assertion  is  attached  to  a 
given  point  in  the  program  with  the  understanding  that  the  assertion  is  to  hold  every  time 
control  passes  through  the  point. 

Assuming  that  an  appropriate  invariant  assertion,  called  the  input  specification,  holds  at  the 
start  of  the  program,  the  method  allows  us  to  prove  that  the  other  invariant  assertions  hold  at 
the  corresponding  points  in  the  program.  In  particular,  we  can  prove  that  the  output 
specification,  the  assertion  associated  with  the  program’s  exit,  will  hold  whenever  control 
reaches  the  exit.  If  this  output  specification  reflects  what  the  program  is  intended  to  achieve, 
we  have  succeeded  in  proving  the  correctness  of  the  program. 

It  is  in  fact  possible  to  prove  that  an  invariant  assertion  holds  at  some  point  even  though 
control  never  reaches  that  point,  since  then  the  assertion  holds  vacuously  every  time  control 
passes  through  the  point  in  question.  In  particular,  using  the  Invariant-assertion  method,  one 
might  prove  that  an  output  specification  holds  at  the  exit  even  though  control  never  reaches 
that  exit.  If  we  manage  to  prove  that  a program’s  output  specification  holds,  but  neglect  to  show 
that  the  program  terminates,  we  are  said  to  have  proved  the  program’s  partial  correctness. 

A separate  proof,  by  a different  method,  is  required  to  prove  that  the  program  does  terminate. 
Typically,  a termination  proof  is  conducted  by  choosing  a well-founded  set,  one  whose  elements 
are  ordered  In  such  a way  that  no  infinite  decreasing  sequences  of  elements  exist.  (The 
nonnegative  integers  under  the  regular  greater-than  ordering,  for  example,  constitute  a 
well-founded  set.)  For  some  designated  label  within  each  loop  of  the  program  an  expression 
Involving  the  variables  of  the  program  is  then  selected  whose  value  always  belongs  to  the 
well-founded  set.  These  expressions  must  be  chosen  so  that  each  time  control  passes  from  one 
designated  loop  label  to  the  next,  the  value  of  the  expression  corresponding  to  the  second  label 
is  smaller  than  the  value  of  the  expression  corresponding  to  the  first  label.  Here,  ’’smaller" 
means  with  respect  to  the  well-founded  ordering,  the  ordering  of  the  chosen  well-founded  set. 
This  establishes  termination  of  the  program,  because  if  there  were  an  infinite  computation  of 
the  program,  control  would  traverse  an  infinite  sequence  of  designated  loop  labels;  the 
successive  values  of  the  corresponding  expressions  would  constitute  an  infinite  decreasing 
sequence  of  elements  of  the  well-founded  set,  thereby  contradicting  the  defining  property  of  the 
set.  This  well-founded  ordering  method  constitutes  the  conventional  way  of  proving  the 
termination  of  a program  (Floyd  [1967]). 


2 


Manna  & Waldingar 


If  a program  both  terminates  and  satisfies  its  output  specification,  that  program  is  said  to  be 
totally  correct. 

Burstall  [1974]  introduced  a method  whereby  the  total  correctness  of  a program  can  be  shown 
in  a single  proof.  The  approach  had  been  applied  to  specific  programs  earlier,  by  Knuth 
([1968]  Section  2.3.1)  and  others.  This  technique  again  involves  affixing  comments  to  points  in 
the  program  but  with  the  intention  that  sometime  control  will  pass  through  the  point  and 
satisfy  the  attached  assertion.  Consequently,  control  may  pass  through  a point  many  times 
without  satisfying  the  assertion,  but  control  must  pass  through  the  point  at  least  once  with  the 
assertion  satisfied;  therefore  we  call  these  comments  intermittent  assertions.  If  we  prove  the 
output  specification  as  an  intermittent  assertion  at  the  program’s  exit,  we  have  simultaneously 
shown  that  the  program  must  halt  and  satisfy  the  specification.  This  establishes  the  program’s 
total  correctness.  Since  the  conventional  approach  requires  two  separate  proofs  to  establish  total 
correctness,  the  intermittent- assertion  method  invites  further  attention. 

We  will  use  the  phrase 

sometime  Q at  L 

to  denote  that  Q is  an  intermittent  assertion  at  label  L,  i.e.  that  sometime  control  will  pass 
through  L with  assertion  Q satisfied.  (Similarly,  we  could  use  the  phrase  "always  Q at  L"  to 
indicate  that  Q is  an  invariant  assertion  at  L.)  If  the  entrance  of  a program  is  labelled  start  and 
its  exit  is  labelled  finish,  we  can  express  its  total  correctness  with  respect  to  an  input 
specification  P and  an  output  specification  R by 

Theorem:  if  sometime  P at  start 

then  sometime  R at  finish. 

This  theorem  entails  the  termination  as  well  as  the  partial  correctness  of  the  program,  because  it 
implies  that  control  must  eventually  reach  the  program’s  exit,  and  satisfy  the  desired  output 
specification. 

If  we  are  only  interested  in  whether  the  program  terminates,  but  don’t  care  if  it  satisfies  any 
particular  output  specification,  we  can  try  to  prove 

Theorem:  if  sometime  P at  start 

then  sometime  at  finish. 

The  conclusion  "sometime  it  finish"  expresses  that  control  must  eventually  reach  the  program’s 
exit,  but  does  not  require  that  any  relation  be  satisfied.  (It  could  have  been  written  as 
"sometime  true  at  finish",  because  the  assertion  true  always  holds.) 
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Generally,  to  prove  the  total  correctness  or  termination  theorem  for  a program,  we  must  affix 
intermittent  assertions  to  some  of  the  program’s  internal  points,  and  supply  lemmas  to  relate 
these  assertions.  The  proofs  of  the  lemmas  often  involve  complete  induction  over  a well-founded 
ordering  (see  Manna  [1974]).  In  proving  such  a lemma  we  assume  that  the  lemma  holds  for  all 
elements  of  the  well-founded  set  smaller  (in  the  ordering)  than  a given  element,  and  show  that 
the  lemma  then  holds  for  the  given  element  as  well. 

The  intermittent-assertion  method  has  begun  to  attract  a good  deal  of  attention.  Different 
approaches  to  its  formalization  have  been  attempted,  using  predicate  calculus  (Schwarz  [1976]), 
Hoare-style  axiomatization  (Wang  [1976]),  modal  logic  (Pratt  [1976]),  and  the  Lucid  formalism 
(Ashcroft  [1976]).  Topor  [1977]  applied  the  method  to  proving  the  correctness  of  the 
Schorr-Waite  algorithm,  a complicated  garbage-collecting  scheme. 

In  this  paper,  we  first  present  and  illustrate  the  intermittent-assertion  method  with  a variety  of 
examples  for  proving  correctness  and  termination.  Some  of  these  proofs  are  markedly  simpler 
than  their  conventional  counterparts.  On  the  other  hand,  we  prove  that  the 
intermittent-assertion  method  is  at  least  as  powerful  as  the  conventional  invariant-assertion 
method  and  the  well-founded  ordering  method,  in  addition  to  the  more  recent 
subgoal-assertion  method  (Manna  [1971],  Morris  and  Wcgbreit  [1976])  for  proving  partial 
correctness.  Finally,  we  show  that  the  intermittent-assertion  method  can  also  be  applied  to 
establish  the  validity  of  program  transformations,  and  to  prove  the  correctness  of  continuously 
operating  programs,  programs  that  are  intended  never  to  terminate. 
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II.  The  Intermittent-Assertion  Method:  Examples 

Rather  than  present  a formal  definition  of  the  intermittent-assertion  method,  we  prefer  to 
illuminate  it  by  means  of  a sequence  of  examples.  Each  example  has  been  selected  to  illustrate 
a different  aspect  of  the  method. 

1.  Counting  the  tips  of  a tree 

Let  us  consider  a simple  program  as  a vehicle  for  demonstrating  the  basic  technique.  This  is 
an  algorithm  to  count  the  tips  of  a binary  tree,  those  nodes  that  have  no  descendents.  A 
recursive  definition  of  a function  tips{tree)  that  counts  the  tips  of  a binary  tree  tree  is 

tipsUree)  <-  if  tree  is  a tip 
then  1 

else  tips(left{tree))  + tips(right{tree)), 

where  Uft{tree)  and  right{tree)  are  the  left  and  right  subtrees  of  tree  respectively. 

An  iterative  program  to  count  the  tins  of  a binary  tree  tree  is 

inputftree) 
ifarf;  stack  *-  (tree) 
count  *-  0 
more:  If  stack  « ( ) 

then  finish:  output(counO 
else  If  head(stack)  is  a tip 
then  count «-  count  + 1 
stack  *-  taiKstack) 
goto  more 

else  first  *-  head(stack) 

stack  f-  leftifirst)  ■ [rightifirst)  • tail(stack)] 
goto  more. 

(This  program  is  similar  to  one  used  by  Burstall  in  his  [197t]  paper.)  We  have  used  the 
I notation  ()  to  denote  the  empty  list,  (x)  to  denote  the  list  whose  sole  element  is  x,  and  x-l  to 

denote  the  list  formed  by  adding  the  element  x at  the  beginning  of  the  list  /.  [Note  that  (x)  is 
the  same  as  x.().]  If  the  list  I is  not  empty,  then  head(l)  is  its  first  element  and  tait(l)  is  the  list 
of  Its  remaining  elements.  The  indentation  of  the  program  indicates  that  if  headistack)  is  a tip, 
t all  three  instructions  following  then  are  to  be  executed;  otherwise,  all  three  instructions 

following  else  are  to  be  executed. 
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This  program  initially  Inserts  the  given  tree  as  the  single  element  of  the  stack.  At  each 
iteration,  the  first  element  is  removed  from  the  stack.  If  it  is  a tip.  the  element  is  counted, 
otherwise,  its  left  and  right  subtrees  are  inserted  as  the  first  and  second  elements  of  the  stack 
The  process  terminates  when  the  stack  is  empty;  count  is  then  the  number  of  tips  in  the  given 
tree. 

Using  intermittent  assertions,  we  can  express  the  total  correctness  of  this  program  by  the 
following  theorem 

Theorem:  if  sometime  tree  - t at  start 

then  sometime  count  = tips{t)  at  finish. 

This  theorem  states  the  termination  of  the  program  in  addition  to  its  partial  correctness, 
because  it  implies  that  control  must  eventually  reach  the  program’s  exit,  and  satisfy  the 
appropriate  output  specification. 

In  order  to  apply  the  intermittent-assertion  method,  we  supply  a lemma  to  describe  the 
behavior  of  the  program’s  loop.  In  this  case  correctness  of  the  program  depends  on  the 
following  property;  if  we  enter  the  loop  with  some  element  t at  the  head  of  the  stack,  then* 
eventually  the  tips  of  t will  be  counted  and  t will  be  removed  from  the  stack.  (Note  that  we  may 
need  to  return  to  more  many  times  before  the  tips  of  t are  counted.)  This  property  is  expressed 
more  precisely  by  the  following  lemma; 

Lemma:  if  sometime  count  ■ c and  stack  • J at  more 

then  sometime  count  - c + tips{t)  and  stack  « r at  more. 

The  hypothesis  count  - c in  the  antecedent  allows  us  to  refer  to  the  original  value  of  count  in 
the  consequent,  even  though  the  value  may  have  changed  subsequently. 

It  is  not  difficult  to  see  that  this  lemma  implies  the  theorem.  Suppose 

sometime  tree  « t at  start. 

Then,  following  the  computation  specified  by  the  program,  we  set  stack  to  (f),  count  to  0,  and 
' reach  more,  so  that 

sometime  count  - 0 and  stack  • (t)  - t-0  at  more. 

I The  lemma  then  tells  us,  taking  c to  be  0 and  s to  be  (),  that 

sometime  count  - 0 + tips{t)  and  stack  - ()  at  more. 
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Because  we  are  at  more  with  stack^^O,  the  computation  proceeds  to  finish,  so  that 
sometime  count  - UpsU)  At  finish, 
and  the  theorem  is  thereby  established. 

The  proof  of  the  lemma  is  by  complete  induction  on  the  structure  of  t.  In  other  words,  we 
suppose  the  antecedent  of  the  lemma,  that 

sometime  count  - c and  stack  = t*j  at  more, 

and  we  assume  inductively  that  the  lemma  holds  whenever  count  « c'  and  stack  « t'-s',  where  t' 
is  any  subtree  of  t.  We  will  then  show  the  consequent  of  the  lemma,  that 

sometime  count  = c + tips(t)  and  stack  = j at  more. 

The  proof  distinguishes  between  two  cases,  depending  on  whether  or  not  t is  a tip. 

Case  t Is  a tip:  Then  tips{t)  = 1 by  the  recursive  definition  of  tips.  Since  stack  - t>s,  it  is 
clearly  not  empty,  but  its  head,  t,  is  a tip.  The  program  therefore  increases  count  by  1 and 
removes  t from  the  stack.  Thus, 

sometime  count  - c + 1 - c + tips{t)  and  stack  - j at  more, 

establishing  the  conclusion  of  the  lemma  in  this  case. 

Case  f Is  not  a tip.  Then  tips{t)  •=  tips(left{t))  + tips(right{t)),  by  the  recursive  definition  of 
tips.  Since  t is  not  a tip,  we  pa<s  around  the  else  branch  of  the  loop  this  time;  we  remove  t 
from  the  stack,  break  it  down  into  its  left  and  right  subtrees,  replace  these  on  the  stack  as  its 
first  and  second  elements,  and  return  to  more.  Thus, 

sometime  count  - c and  stack  ■ left{t)-[right{t)-  s]  at  more 

We  can  then  apply  the  induction  hypothesis  [taking  c'  to  be  c,  t'  to  be  left{t)  and  s'  to  be 
right{t)-s],  since  left(t)  is  a subtree  of  t.  The  induction  hypothesis  tells  us  that 

sometime  count  « c + tips[left{t))  and  stack  - right{t)-s  at  more. 

Since  rightU)  is  also  a subtree  of  f.  we  can  apply  the  induction  hypothesis  again  [taking  c'  to  be 
c-rtips{left{t)),  t'  to  be  rightist)  and  s'  to  be  i],  yielding 

sometime  count  - c + tips(left(0)  + tips(rightU))  and  stack  - s at  more. 
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In  other  words,  since  tips(t)  ■ tips(Uft{t))  + tip${right{t)), 

sometime  count  ■ c + tipsU)  and  stack  - J at  more. 

This  is  the  desired  conclusion  of  the  lemma. 

Note  that  once  the  lemma  was  formulated  and  the  basis  for  the  induction  decided,  the  proofs 
proceeded  in  a fairly  mechanical  manner.  On  the  other  hand,  choosing  the  lemma  and  the 
basis  for  induction  required  some  ingenuity. 

The  proof  of  the  lemma  called  upon  the  full  power  of  the  intermittent-assertion  method 
Although  the  recursive  program  that  defines  the  tips  function  can  count  the  tips  of  a subtree 
with  a single  recursive  call,  the  iterative  program  may  require  many  traversals  of  the  loop 
before  the  tips  of  a subtree  are  counted.  The  intermittent-assertion  method  allows  us  to  relate 
the  point  at  which  we  are  about  to  count  the  tips  of  a subtree  t with  the  point  at  which  we 
have  completed  the  counting,  and  to  consider  the  many  executions  of  the  body  of  the  loop 
between  these  points  as  a single  unit,  which  corresponds  naturally  to  a single  recursive  call  of 
tipsU). 

The  conventional  invariant-assertion  method,  on  the  other  hand,  requires  that  we  identify  a 
condition  that  allows  us  to  relate  the  situation  before  and  after  each  single  execution  of  the 
body  of  the  loop.  There  may  be  no  natural  connection  between  these  two  points;  consequently 
our  invariant-assertion  must  be  exceptionally  complete.  In  this  case,  such  an  assertion  is 

tips(tree)  - count  tipsis)  at  more, 

where  Z tipsis)  is  the  sum  of  the  tips  of  all  the  elements  of  the  stack  (cf.  London 
s « stack 

[1975]).  Once  we  know  this  assertion,  the  invariant-assertion  proof  is  also  straightforward. 
However,  to  formulate  the  above  assertion  we  are  required  to  relate  all  the  elements  of  the 
stack,  while  to  understand  the  program  or  to  produce  the  intermittent-as.sertion  proof  we  only 
needed  to  consider  the  first  element  of  the  stack. 

The  intermittent-assertion  proof  established  termination  at  the  same  time  as  correctness;  to 
prove  termination  by  the  conventional  well-founded  ordering  approach,  we  can  show  that  the 
value  of  the  pair 

( tipsUree)  - count  tips{head(stack)) ) 

always  decreases  in  the  lexicographic  ordering  each  time  we  return  to  more.  In  other  words, 
either  the  first  component  tips(tree)  - count  is  reduced,  or  the  first  component  remains  fixed 
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and  the  second  component  tips(head{stack))  is  reduced.  Both  components  remain  nonnegative 
at  all  times.  Although  finding  the  above  pair  requires  a bit  of  ingenuity,  this  termination  proof 
is  relatively  straightforward.  In  the  next  section  we  will  see  a program  for  which  the  simplest 
known  conventional  termination  proof  is  significantly  more  complicated  than  the 
intermittent-assertion  proof  of  total  correctness. 


2.  The  Ackermann  Function 

The  Ackermann  function,  denoted  by  A(sr  y),  is  defined  recursively  for  nonnegative  Integers  x 
and  y as 


A(x  y)  <•  If  X - 0 
then  y+1 
else  if  y = 0 

then  A(x-1  1) 
else  A(x-1  A(xy-l)). 

For  example.  A(1  1)  « A(0  A(l  0))  = A(0  A(0  1))  •=  A(0.2)  = 3. 

This  function  is  of  theoretical  interest,  in  part  because  its  value  grows  extremely  quickly;  for 
instance. 


2* 

A (4  4)  - 2^^  -3 

An  Iterative  program  to  compute  the  same  function  is 
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lnput(*o  yo) 

start:  irac*[l]  jcq 
stackl2'i  *-  yo 
index  <-  2 
more:  If  index  » 1 

then  finish:  output(jfacA[l]) 
else  If  jrocfe[tnrfex-l]  » 0 

then  stackUndex- \]  *-  stack[index\r\ 
index  «-  index- 1 
goto  more 

else  if  StackUndex]  - 0 

then  StackUndex- 1]  *-  stack[index-l]-\ 

StackUndex] «-  1 
goto  more 

else  stackUndex+1] «-  stackUndex]- 1 
StackUndex] «-  stackUndex- 1] 

StackUndex- 1]  *-  stackUndex- 1]- 1 
index  *-  index+ 1 
goto  more. 

This  iterative  program  represents  a direct  translation  of  the  recursive  definition.  If  at  some 
stage  the  recursive  program  is  computing 

A(jo  A(i,  ...  A(r,_|  Si)...)) , 

then  at  the  corresponding  stage  of  the  iterative  computation 
stack  • (sq  s,  ...  Jj_i  Jj)  and  index  «=  i. 

Using  Intermittent  assertions,  we  can  express  the  program’s  total  correctness  by  the 

Theorem:  if  sometime  Xo,yo  > 0 at  start 

then  sometime  stack[\]  « A(xq  y^)  n finish. 

In  proving  this  theorem  we  will  employ  the  following  lemma, 

Lemma:  if  sometime  jnrfex  t 2 2,  JtacfeU :i-2]  - J, 

stack[i-\]  - a and  jtaclfeti]  - 6 at  more, 
then  sometime  index  - :-l,  itacil:[l;i-2]  - s 

and  itacit[t-l]  - A(a  b)  at  more. 


km 


10 


Manna  & Waidinger 


i 

I 


f 

r 


I 


Here,  s represents  a tuple  of  stack  elements.  The  abbreviation  jfock[l  ; f-2]  - J will  be  used  to 
denote  that  j equals  the  tuple  of  elements  (it<zck[l]  ifacfe[2]  ...  Jtock[i-2]);  this  expression  is 
included  in  the  hypothesis  and  the  conclusion  of  the  lemma  to  convey  that  the  initial  segment 
of  the  array,  the  first  t-2  elements,  are  unchanged  when  we  return  to  more. 

It  is  straightforward  to  see  that  the  lemma  implies  the  theorem.  For  index  is  2,  stacklt]  is  xq, 
and  jfac*[2]  is  y©  time  we  reach  more.  Then  the  lemma  implies  that  eventually  we  will 

reach  more  again,  with  index-l  and  stack[\]  « Mxoyo^  Since  Index  ■ 1 we  then  pass  lo  finish 
with  the  desired  output. 

To  prove  the  lemma  let  us  suppose 

sometime  index  - i,  i >2,  Jtacfe[l;t-2]  = s, 

jfack[i-l]  = 0 and  stackii]  = 6 at  more. 

Our  proof  will  be  by  induction  on  the  pair  (stackUndex- 1]  stackUndex])  under  the 
lexicographic  ordering  over  the  nonnegative  integers;  in  other  words,  we  will  assume  the  lemma 
holds  whenever  jfack[inrfex-l]  = a'  and  stackUndex]  ■=  b',  where  a'  and  b'  are  any  nonnegative 
integers  such  that  a’  < a,  or  such  that  a'  a and  b'  < b,  and  show  that  it  then  holds  when 
slackUndex-D’^a  and  stack[index]=b,  i.e. 

sometime  in<fex=i-l,  stack[\  : i-2]=r,  and 
rtackfi- l]=A(a  b)  at  more. 

The  proof  distinguishes  between  three  cases,  corresponding  to  the  conditional  tests  in  the 
recursive  definition  of  the  Ackermann  function. 

Case  a « 0:  Then  A(a  6)  = 6+1  by  the  recursive  definition  of  the  Ackermann  function.  But 
since  index  » and  stackUndex- 1] a = 0,  we  return  to  more  with  index  ~ i-\  and 
stack[i-\]  - fc+1,  satisfying  the  conclusion  of  the  lemma. 

Case  a > 0,  6-0:  Here,  A(a  6)  - A(a-1  1)  by  the  definition  of  the  Ackermann  function. 
Because  index*  I.  siack[index-\]  = a * 0 and  stackUndex]  - b ~ 0,  we  return  to  more  with 
index  « i,  srack[i-l]  - o-l,  and  stackii]  = 1-  Since  irack[t-l]  « a-1  < a,  we  have 

(slackU-i]  stackii])  » (a-1  1)  < (a  0), 

and,  therefore,  the  inductive  hypothesis  can  be  applied  [taking  a'  to  be  o-l  and  6'  to  be  1],  to 
yield  that 

sometime  index  - i-1,  Jtack[l;i-2]  - s and 
stackU-\]  ' A(o-l  1)  at  more. 

1) 
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Because  A(a  b)  » A(a-l  1),  the  lemma  is  established  in  this  case. 

Case  a > 0,  6 > 0:  Then  A(a  6)»A(a-l  A(a  6-1)),  by  the  recursive  definition.  Since 
index  et  I,  sradUfndex-l)  - a k 0,  and  siacklindex']  - 6 k 0,  we  return  to  more  with 

index  - <+ 1, 

- a-1, 

- 0,  and 
sracilt[t+ 1]  » 6- 1. 

Because  index  - i+1  and  (sfacfeU)  itacfe[t+l])  - (a  6-1)  < (o  6),  our  induction  hypothesis  applies 
[taking  a'  to  be  a and  6'  to  be  6-1],  yielding 

sometime  index  i,  stackili-2)  “ s, 

stack[i-\]  = 0-1,  and  sfoi:*[i]  - A (a  6-1)  at  more. 

Note  that  we  could  conclude  that  stoc/kU-l]  = o-l  because  the  induction  hypothesis,  for 
index  - i+1,  states  that  the  first  i-1  array  elements  are  unchanged. 

Because  index  - i and  (siocfe[i-l]  stackU])  ■=  (o-l  A(o  6-1))  < (o  6),  we  can  apply  the  induction 
hypothesis  once  more  [taking  o’  to  be  o-l  and  6’  to  be  A(o  6-1)],  to  obtain  that 

sometime  index  - i-1,  siocit[l:i'2]  ■ s, 

and  StackU- \]  - A (o-l  A(o  6-1))  at  more, 

which  is  the  desired  conclusion  in  this  case. 

This  completes  the  intermittent-assertion  proof  of  the  total  correctness  of  the  Ackermann 
program;  we  believe  it  reflects  our  understanding  of  the  way  the  program  works.  The 
invariant-assertion  proof  of  the  partial  correctness  is  quite  natural;  at  each  iteration  it  can  be 
shown  that 

A(jfocfe[l]  A(jiocii[2]  ...  A{stackUndex-\]  stacklindex])...))  • A{xq  yo) 
at  more  and,  when  the  program  terminates,  that 
jioc*[l]  - A(xoyo) 

On  the  other  hand,  the  known  proofs  of  the  termination  of  th  s iterative  program  using  the 
conventional  well-founded  ordering  method  are  extremely  cc  'olicated,  and  we  challenge  the 
intrepid  reader  to  construct  such  a proof. 
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3.  The  greatest  common  divisor  of  two  numbers 

In  the  previous  two  examples,  we  have  applied  the  intermittent-assertion  method  to  programs 
involving  only  one  loop.  The  following  program,  which  computes  the  greatest  common  divisor 
igcd)  of  two  positive  integers,  is  introduced  to  show  how  the  intermittent-assertion  method  is 
applied  to  a program  with  a more  complex  loop  structure. 

We  define  gcd{x  y),  where  x and  y are  positive  integers,  as  the  greatest  integer  that  divides  both 
X and  y,  that  is, 

gcd{x  y)  ■ max{u  : u|x  and  ulji}. 

For  instance,  gcrf(9  12)  - 3 and  gcd(\2  25)  - 1. 

The  program  is 

input<x  y) 

start: 

more:  if  x - 

then  finish,  output(y) 
else  reductx:  if  x > y 

then  X «-  x-;y 

goto  reducex 
reducey.  if  j > x 

then  y *-  y-x 

goto  reducey 

goto  more. 

This  program  is  motivated  by  the  following  properties  of  the  gcd: 

gcdix  y)  - y if  X = 

gcd{x  y)  - gcd(x-y  y)  if  x > y,  and 

gcdix  y)  - gcd(x  y-x)  if  y > x. 

We  would  like  to  use  the  intermittent-assertion  method  to  prove  the  total  correctness  of  the  this 
program.  The  total  correctness  can  be  expressed  as  follows: 

Theorem:  if  sometime  x ‘ a,  y • b and  a,b  > 0 at  start 

then  sometime  y = gcd{a  b)  at  finish. 

To  prove  this  theorem,  we  need  a lemma  that  describes  the  internal  behavior  of  the  program. 
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if  sometime  x • a,  y • b,  and  o > 6 > 0 at  rtducex 
or  sometime  x - a,  y - b,  and  6 > a > 0 at  reducey 
then  sometime  y - gcd{a  b)  at  finish. 


Lemma: 

To  show  that  the  lemma  implies  the  theorem,  we  assume  that 
sometime  x ~ a,  y • b,  and  a,b  > 0 at  start. 

We  must  distinguish  between  three  cases. 

Case  a - 6:  Control  passes  directly  to /inisA.  Thus 
sometime  ^ « 6 at  finish. 

But  because  in  this  case  b - gcd{a  b),  by  a given  property  of  the  gcd,  we  have  y - gcd{a  b)  at 

finish. 

Case  a > b:  Control  passes  directly  to  reducex,  so 

sometime  jc  • a,  y « 6,  and  o > > 0 at  reducex. 

The  lemma  then  asserts  that 


sometime  y « gcd{a  b)  at  finish. 

Case  b > a.  Here,  control  passes  directly  to  reducey,  so  that 
sometime  x « o,  31  = fc  and  6 > a > 0 at  reducey. 

Again,  the  lemma  yields  the  desired  result. 

The  proof  of  the  lemma  proceeds  by  induction  on  a+t.  We  suppose 


sometime  x - a,  ji  « 6,  and  a > > 0 at  reducex 
or  sometime  x ~ a,  y ‘ b,  and  A > a > 0 at  reducey. 

We  assume  inductively  that  the  lemma  holds  whenever  x - a*  and  j - b',  where  a'  b’  < a * b, 
and  show  that 

sometime  y - gcd(a  b)  at  finish. 

The  hypothesis  of  the  lemma  is  a disjunction  of  two  possibilities.  We  consider  each  possibility 
separately. 
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First,  suppose 

sometime  x - a,  j - 6,  and  a > i>  > 0 at  reducex. 
Here  control  passes  around  the  top  inner  loop,  so  that 
sometime  x - a-b  and  j i at  reducex. 


For  simplicity,  let  us  denote  a-b  and  b by  a'  and  b'.  respectively.  Note  that 


a',  b'  > 0 

a'  + b’  < a + b,  and 

gcd(a’  b’)  - gcd(a-b  b)  - gcd{a  b). 

ThI,  I...  condition  tollo.s  by  . si.en  propmy  of  ,b.  Jfd.  W.  now  dlstlneuisb  b«w«n  thr« 
cases. 

Case  o’  - b':  Control  passes  directly  lo  finish,  so 

sometime  y - gcd{a’  b')  « gcd(a  b)  at  finish. 


Casa  o'  > b'-.  Here 

sometime  x - o’,  y - b’,  and  o’  > 6'  > 0 at  reducex. 

Because  o’  + 6’  < o 4 6.  we  can  apply  the  induction  hypothesis  to  deduce  that 


sometime  y - gcd{a'  b')  » gcd(a  b)  at  finish. 

c...  »■  . o'  Conlrol  p«sof  » ,.<luc.y  .od  ..  c,n  apply  Ibo  iodoclion  hypothosls  in  th.  same 
way. 

The  second  possibility  from  the  hypothesis  of  the  lemma,  that 


sometime  x - o,  y - b.  and  6 > o > 0 at  reducey, 

dlipoirt  of  in  , .ymmeiric  mannor.  This  complote,  the  proof  of  tb.  .«.l  corrocmos.  of  <h. 

■d. 

1,  nol  difficult  to  prove  the  partial  correctnes,  of  the  above  program  osing  the  conventional 
,1"!  a"rtion  Lhod  fL  iottance.  to  prove  that  th.  program  i.  partially  corral  .ith 
fspect  to  the  input  specification 
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xo  > 0 and  jo  ^ ® 
and  output  specification 
y • gcdixo  yo) 

(where  xq  and  yQ  are  the  initial  values  of  x and  y)  we  can  use  the  same  invariant  assertion 
x,y  > 0 and  gcd{x  y)  - gcd{xQ  jiq) 
at  each  of  the  labels  more,  reducex  and  reducey. 

In  contrast,  the  termination  of  this  program  is  awkward  to  prove  by  the  conventional 
well-founded  ordering  method,  because  it  is  possible  to  pass  from  more  to  reducex,  reducex  to 
reducey,  or  from  reducey  to  more  without  changing  any  of  the  program  variables.  One  of  the 
simplest  proofs  of  the  termination  of  the  gcd  program  by  this  method  involves  taking  the 
well-founded  set  to  be  the  pairs  of  nonnegative  integers  ordered  by  the  regular  lexicographic 
ordering.  When  the  expressions  corresponding  to  the  loop  labels  are  taken  to  be 

(x+y  2)  at  more, 

if  X « y then  (x+y  I)  else  (x+y  4)  at  reducex,  and 

if  X < y then  (x+y  0)  else  (x+y  3)  at  reducey, 

it  can  be  shown  that  their  successive  values  decrease  as  control  passes  from  one  loop  label  to  the 
next  (Kau  and  Manna  [1975]).  Although  this  method  is  effective,  it  is  not  the  most  natural  in 
establishing  the  termination  of  the  gcd  program. 


16 


1 


w 


Manna  & Waldinger 

III.  Relation  to  Conventional  Proof  Techniques 

One  question  that  naturally  arises  in  presenting  a new  proof  technique  is  its  relationship  to  the 
more  conventional  methods.  In  the  previous  section  we  have  seen  examples  of 
intermittent-assertion  proofs  of  correctness  and  termination  that  are  simpler  than  any  known 
conventional  counterparts.  In  this  section  we  will  show  that  the  reverse  is  never  the  case;  in 
fact,  we  can  directly  rephrase  any  partial-correctness  proof  using  the  invariant-assertion 
method  as  an  intermittent-assertion  proof.  The  same  result  applies  to  another  standard 
partial-correctness  proof  technique,  the  "subgoal  assertion  method"  Furthermore,  we  will  show 
that  any  termination  proof  using  the  well-founded  ordering  method  can  also  be  expressed 
using  Intermittent  assertions  instead.  Therefore,  we  can  always  use  the  intermittent-assertion 
method  in  place  of  the  established  techniques. 

To  characteriie  the  conventional  techniques  precisely,  we  find  it  convenient  to  introduce  some 
new  notations,  which  are  described  more  fully  in  Manna  [1974],  Let  x be  a complete  list  of  the 
variables  of  a given  program,  and  let  Xq  denote  their  initial  value,s.  Suppose  that  we  have 
designated  a special  set  of  labels  Lq,  L, L^,  where  Lq  and  are  the  program’s  entrance 

{start)  and  exit  {finish)  respectively.  It  is  assumed  that  each  of  the  program’s  loops  passes 
through  at  least  one  of  the  designated  labels.  A path  between  two  designated  labels  is  said  to 
be  basic  if  it  does  not  pass  through  any  designated  label  (except  at  its  endpoints).  For  each 
basic  path  ot  from  label  Lj  to  Lj,  we  let  tjx)  denote  the  condition  that  most  htjid  for  controi  to 

pass  from  Lj  along  path  a to  Lj,  and  we  let  gjx)  be  the  transformation  of  the  values  of  x 
effected  in  traversing  the  path  a.  Thus,  if  x = o at  Lj,  and  condition  tja)  holds,  then  control 
will  pass  along  path  a,  reaching  Lj  with  x •=  g^(a). 

We  now  define  the  ordering  that  will  enable  us  to  mimic  conventional  partial-correctness 
proofs  by  the  intermittent-assertion  method.  Suppose  that  the  program  is  intended  to  apply  to 
inputs  satisfying  the  input  specification  P(xq).  Then  the  ordering  > induced  by  the  computation 

IS  defined  as  follows; 

(a  i)  > {b  j) 

if  control  passes  through  Lj  with  x = a and  then  eventually  passes  through  Lj  with  x - 6,  for 
some  computation  that  initially  satisfies  the  input  specification  P(xq)  and  that  ultimately 
terminates.  This  ordering  is  well-founded,  because  any  infinite  decreasing  sequence  in  the 
ordering  would  correspond  to  an  infinite  computation  of  the  program,  but  we  have  only 
defined  the  ordering  for  finite  (terminating)  computations. 

Now  let  us  sec  how  the  concepts  we  have  introduced  allow  us  to  rephrase  an 
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invariant-assertion  proof  of  the  partial  correctness  of  a program  as  an  intermittent-assertion 
proof. 


1.  Invariant-assertion  method 

Suppose  that  we  have  used  the  invariant-assertion  technique  to  prove  that  a program  is 
partially  correct  with  respect  to  some  input  specification  P(xq)  and  output  specification  R(xq  x)- 

Then  we  have  a set  of  invariant  assertions  Qo(xo  x),  Qi(xo  x) Qyj(xo  x)  corresponding  to  the 

designated  labels  Lq,  L, for  which  we  have  proved  that  for  every  Xq  and  x: 

(1)  P(xq) ->  Qo(*o  *o) 

(the  input  specification  implies  the  initial  invariant  assertion),  and 

(2)  Q(ij(xo  x)  ->  R(xq  x) 

(the  final  invariant  assertion  implies  the  output  specification), 
and,  for  each  basic  path  a from  Lj  to  Lj,  we  have  proved  the  verification  condition 

(3,j)  Q^(xo  x)  and  tj.x)  ->  Qj(xo  gj,x)) 

(the  invariant  assertion  before  the  path  implies  the  invariant  assertiott  after). 

Conditions  (1)  and  (3J  establish  that  each  Q^(xq  x)  is  indeed  an  invariant  assertion  at  Lj;  it  has 
the  property  that  each  time  we  pass  through  Lj,  Qj(xo  x)  will  be  true  for  the  current  value  of  x 

Condition  (2)  then  implies  that  if  the  program  terminates,  the  desired  output  specification  will 
be  satisfied.  Together,  these  conditions  establish  the  partial  correctness  of  our  program. 

From  the  given  proof  of  the  partial  correctness  of  the  program,  we  can  extract  an 
intermittent-assertion  proof  of  the  same  result.  The  theorem  that  expresses  the  partial 
correctness  In  the  Intermittent-assertion  notation  is  as  follows: 

Theorom:  if  sometime  x » Xq  and  P(xq)  at  start 

and  the  computation  terminates 
then  sometime  R(xq  x)  at  finish. 

This  theorem  expresses  the  partial  correctness  of  the  program,  because  it  includes  the  explicit 
assumption  that  the  particular  computation  being  considered  terminates.  Given  the  assertions 
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Q,(xo  x)  from  the  invariant-assertion  proof,  we  can  construct  the  following  lemma,  which  will 
enable  us  to  prove  the  partial-correctness  theorem: 

Lamma:  for  every  i.Osiih, 

if  sometime  x • a,  P(xq)  and  Qj(xo  a)  at 

and  the  computation  terminates 

then  sometime  R(xo  x)  at  finish.  | 

To  prove  that  the  lemma  implies  the  theorem,  assume 

sometime  x -Xq  and  P(xq)  at  start 
> and  the  computation  terminates. 

Our  invariant-assertion  proof  includes  a proof  of  (1),  that  P(xo)  ■>  Qo(*o  *o)-  That  proof  can 
be  incorporated  here,  to  yield 

sometime  x » Xq,  P(xo)  and  QqCxo  Xq)  at  Lq 

and  the  computation  terminates,  | 

(because  Lq  is  identical  to  start).  Taking  i - 0 in  the  lemma,  we  may  deduce 
sometime  R(xq  x)  at 

which  is  the  desired  conclusion  of  the  theorem. 

I 

To  prove  the  lemma,  we  suppose  | 

sometime  x - o,  P(xq)  and  Qj(xo  a)  at  Lj 
and  the  computation  terminates, 

for  some  i between  0 and  h.  The  proof  is  by  induction  on  the  ordering  >■  induced  by  the 
computation.  Thus,  we  assume  inductively  that  the  lemma  holds  whenever  x - a’  at  L^-,  where 

(a  i)  > (a*  n 

< The  proof  distinguishes  between  two  cases. 

• 1 

If  f - A,  we  have  supposed  that  ! 

I 

, sometime  x > a and  Q/^(xq  a)  at  Lyy.  i 


Incorporating  the  proof  of  (2)  and  recalling  that  Lyj  is  finish,  we  have 
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sometime  R(xq  x)  at  finish, 
which  is  the  desired  conclusion  of  the  lemma. 

On  the  other  hand,  if  0 s t < A,  control  must  follow  some  basic  path  a to  a designated  label  Ly. 
For  this  path,  tj,a)  must  be  true,  and  x - gj,a)  when  control  reaches  L^.  Because  Qj(xq  a)  and 
tj,a)  are  true,  we  can  reproduce  the  proof  of  (3„.)  to  deduce  that  Qy(xo  sJ.o))  is  true.  Thus 

sometime  x - gj.a)  and  Qy(xo  gj,a))  at  Lj. 

Because  Xq  has  been  assumed  to  satisfy  the  input  specification  P(xq),  and  because  the 
computation  has  been  assumed  to  terminate,  we  have  that 

■;  (ai)XgJfl)j), 

by  the  definition  of  the  ordering  induced  by  the  computation,  and  therefore  that 

sometime  R(xo  x)  at  finish, 

by  our  induction  hypothesis. 

This  completes  the  proof  of  the  lemma. 

We  have  thus  constructed  an  intermittent-assertion  proof  of  the  partial  correctness  of  the 
program,  assuming  that  we  were  given  an  invariant-assertion  proof.  In  the  next  section  we  will 
indicate  how  the  same  procedure  can  be  applied  to  subgoal-assertion  proofs. 

2.  Subgoal-assertion  method 

The  invariant-assertion  approach  always  relates  the  current  values  of  the  program  variables  to 
their  initial  values.  Another  approach  for  proving  partial  correctness,  the  subgoal-assertion 
method,  relates  these  variables  to  their  ultimate  values  when  the  program  halts.  We  will  first 
present  the  method,  and  then  show  as  before  that  if  we  have  proved  the  partial  correctness  of  a 
* program  using  this  method,  then  we  can  rephrase  the  same  proof  with  intermittent  assertions 

instead. 

Suppose  now  that  we  have  used  the  subgoal-assertion  method  to  prove  that  a program  is 
I partially  correct  with  respect  to  some  input  specification  P(xo)  and  output  specification  R(xq  x). 

Then  we  have  a set  of  subgoal  assertions  Q^(x  Xf^),  Q[(x  x^) Q^(x  Xf^)  corresponding  to  the 
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designated  labels  L©.  L| with  the  intuitive  meaning  that  ojtx  x^)  must  hold  for  the 

current  value  of  x as  control  passes  through  and  the  ultimate  value  x^  of  x when  the 
computation  halts.  For  these  assertions  we  have  proved  that  for  every  Xq,  x and  Xyj; 

the  final  subgoal  assertion  always  holds  for  the  final  value  of  x),  and 
(2*)  P(xq)  and  Q^(xo  x^)  ->  R(X(,  x^) 

’ (the  input  specification  and  the  initial  subgoal  assertion  imply  the  output 

specification), 

' and,  for  each  basic  path  a from  to  Lj,  we  have  proved  the  verification  condition 

Xf^)  and  t^{x)  =>  Qj(x  x^) 

r 

(the  subgoal  assertion  after  the  path  implies  the  subgoal  assertion  before). 

The  subgoal-assertion  method  works  backward  through  the  computation,  whereas  the 
invariant-assertion  method  works  forward.  Condition  (!’')  implies  that  the  final  subgoal 

assertion  always  holds.  Conditions  (3^)  say  that  if  the  appropriate  subgoal  assertion  holds 

when  control  reaches  the  end  of  a path,  then  the  corresponding  subgoal  assertion  holds  when 

, ^ 

control  is  at  the  beginning  of  the  path.  If  the  program  does  terminate,  conditions  (T)  and  (S^,) 
imply  that  each  Q*(x  x^)  is  indeed  a subgoal  assertion  at  Lj;  it  has  the  property  that  each  time 

- we  pass  through  Lj,  Q,^(x  x^)  will  be  true  for  the  current  value  of  the  program’s  variables,  x, 

and  its  ultimate  value,  x^.  Condition  (2’^)  then  implies  that  if  the  program  terminates,  the 
desired  output  specification  will  be  satisfied.  Together,  these  conditions  imply  the  partial 
* correctness  of  the  given  program. 

To  contrast  the  invariant-assertion  and  the  subgoal-assertion  method,  let  us  consider  a simple 
program  to  compute  the  gcd. 
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input(x  y) 

start: 

more:  If  x-0 

then  finish:  output()i) 
else  (x  y)  *-  {rem(y  x)  x) 
goto  more. 

Here,  rem{y  x)  is  the  result  of  dividing  y by  x.  The  notation  (x  y)  *-  (rem(y  x)  x)  means  that  the 
values  of  x and  y are  simultaneously  assigned  to  be  rem{y  x)  and  x,  respectively. 

To  show  that  this  program  is  partially  correct  with  respect  to  the  Input  specification 

P(jfo  yo) : > 0 and  yo  > 0. 

and  the  output  specification 

R<*o  yoy)  -y  >o). 

we  can  employ  the  invariant-assertions 

^start^^o  yo’^y)  ' P(*o  >o) : *o  > 0 and  jiq  > 0 
^more^^o  3»o  * Ji) : * ^ 0 and  y > 0 and  gcd{x  y)  • gcd(xQ  yo) 

^finish^’‘o  yo  * y)  * yo;  y) ; y - ?cd(^o  yo)  • 

On  the  other  hand,  to  prove  the  same  result  by  the  subgoal- assertion  method,  we  can  use  the 
subgoal  assertions 

^*start(^  y y^) : X 2 0 and  y > 0 ->  yyj  - gcd(x  y) 
y yyy) : 2 0 and  y > 0 ->  y^i  - gcd(x  y) 

^^finish^^  y y^)  • y ■ y^  • 

The  reader  may  observe  that  the  invariant  assertions  relate  the  program  variables  x and  y with 
their  initial  values  Xq  and  yo  and  the  subgoal  assertions  relate  the  programs  variables  with  the 
ultimate  final  value  of  y,  y^. 
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Let  us  return  to  the  general  case.  From  a given  subgoal-assertion  proof  of  the  partial 
correctness  of  a program,  we  can  mechanically  paraphrase  the  argument  as  an 
intermittent- assertion  proof,  just  as  we  did  for  the  invariant-assertion  method. 

The  theorem  that  expresses  the  partial  correctness  of  the  program  is  again: 

Theorem:  if  sometime  x • Xq  and  P(xq)  at  start 

and  the  computation  terminates 
then  sometime  R(xo  x)  at  finish. 

The  lemma  that  we  will  use  in  proving  the  theorem,  however,  is  different  from  the  lemma  in 
the  invariant-assertion  case: 

Lemma:  for  every  i,0<i<h 

if  sometime  x = a and  P(xq)  at  Lj 

and  the  computation  terminates 
then  sometime  Q,(a  x)  at  finish  . 


To  construct  a proof  that  the  lemma  implies  the  theorem,  we  take  i - 0 and  extract  the 
justification  for  Condition  (2^^)  from  the  given  subgoal  assertion  proof. 

The  proof  of  the  lemma  is  constructed  in  a way  analogous  to  the  earlier  invariant-assertion 
case.  Induction  is  again  based  on  the  ordering  > induced  by  the  computation.  When  f - A we 

use  the  proof  of  Condition  (1*),  and  if  0 < i < /i  we  use  the  inductive  hypothesis  and  the  proof 
of  (3*). 

We  have  remarked  that  the  invariant-assertion  method  relates  the  current  values  of  the 
program  variables  to  their  initial  values,  whereas  the  subgoal-assertion  method  relates  the 
current  values  to  their  final  values.  The  intermittent-assertion  technique  can  imitate  both  of 
these  methods  because  it  can  relate  the  values  of  the  program  variables  at  any  two  stages  In  the 
computation. 


3.  Well-founded  ordering  method 

The  above  constructions  enabled  us  to  mirror  conventional  partial-correctness  proofs  using 
intermittent  assertions.  In  fact,  we  can  also  use  the  intermittent-assertion  method  to  express 
conventional  teimination  proofs  that  use  the  well-founded  ordering  approach. 
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Suppose  that  we  have  used  the  well-founded  ordering  approach  to  prove  the  termination  of  a 
given  program  with  respect  to  some  input  specification  P(xq).  Then  we  have  found  a 

well-founded  ordering  > over  a set  W,  and  for  some  set  of  designated  labels  Lq.  L| L^.  we 

have  found  a set  of  invariant  assertions  QqUo  ■•••  OyjUo  *)  of  expressions 

EqUo  *).  E 1(5^0  *) f'o'"  proved  the  following  conditions  for  every  xq 

and  X: 

(1)  P(xq) ->  Qo(*o  *0) 

(the  input  specification  implies  the  initial  invariant  assertion). 

(2  J Qf(xo  x)  and  tj,x)  •=>  Qj(xo  gjx))  for  every  basic  path  a from  to  Lj 

(the  invariant  assertion  before  the  path  implies  the  invariant  assertion  after). 

(3^)  Qj(xo  x)  ->  Ej(xo  x)  e W for  each  label  Lj 

(the  value  of  the  expression  belongs  ^o  W when  control  passes  through  Lj).  and 
(4^)  Qj(xo  x)  and  tjx)  »>  Ej(xo  x)  > E^Xq  gj,x)) 
for  every  basic  path  a from  Lj  to  Lj 

(as  control  passes  from  Lj  to  Lj.  the  value  of  the  corresponding  expression  is  reduced). 

The  above  conditions  establish  the  termination  of  the  program.  Conditions  (1)  and  (2«.)  ensure 
that  each  Qjfxp  x)  is  indeed  an  invariant  assertion  at  Lj:  whenever  control  passes  through  Lj. 
assertion  Qj(xo  x)  is  true  for  the  current  value  of  x.  Condition  (3)  then  tells  us  that  each  time 
control  passes  through  Lj.  the  value  of  the  expression  Ej(xo  x)  belongs  to  W. 

Now.  suppose  that  Conditions  (l)-(4)  are  satisfied  but  the  program  does  not  terminate  for  some 
input  Xq  satisfying  the  input  specification  P(xq).  Control  then  passes  through  an  infinite 
sequence  of  designated  labels;  the  values  of  the  corresponding  expressions  Ej(xo  x)  constitute  an 
infinite  sequence  of  elements  of  W.  Condition  (4)  then  implies  that  this  is  a decreasing 
sequence  under  the  well-founded  ordering,  thereby  contradicting  the  definition  of  a 
well-founded  set.  Conditions  (l)-(4)  therefore  suffice  to  establish  the  termination  of  the  given 
I program. 

It  is  our  task  to  transform  a proof  by  the  above  method  into  an  intermittent-assertion  proof  of 
the  termination  of  the  program.  The  following  theorem  expresses  the  desired  property 


24 


Manna  & Waldinger 


Theorem:  if  sometime  x ‘ Xq  and  P(jco)  at  start 

then  sometime  dit  finish  . 

Recall  that  "sometime  at  finish”  expresses  the  termination  of  the  program  in  the 
intermittent-assertion  notation.  We  can  prove  this  theorem  by  establishing  the  following 
lemma 

Lemma:  for  every  i,  0 < i < h 

if  sometime  x = a and  Uj(xQ  a)  at  Lj 

then  sometime  at  finish  . 

To  construct  a proof  that  the  lemma  implies  the  theorem,  we  take  t to  be  0 in  the  lemma  and 
incorporate  the  given  proof  of  Condition  (1)  into  the  intermittent-assertion  proof  of  the 
theorem. 

To  prove  the  lemma  we  use  induction  over  the  same  well-founded  ordering  > that  we 
employed  in  the  given  termination  proof.  Suppose  that 

sometime  x • a and  Qj(xq  a)  at  Lj 

for  some  designated  label  Lj.  We  assume  inductively  that  the  lemma  holds  whenever  x - o’  and 
Qj.<Xo  o')  at  Lj.,  where  Ej(xo  a)  > Ej.(xo  o’).  If  j « termination  has  already  occurred. 

Otherwise,  control  must  follow  some  path  a from  Lj  to  Lj,  i.e.  t,^(o)  is  true.  Thus 

sometime  x - g«(o)  at  Lj  . 

Because  both  Qj(xo  a)  and  t^(a)  hold,  the  proof  of  Condition  (2)  enables  us  to  deduce 
Q^(xo  goS(t))-  The  proof  of  Condition  (3)  can  be  incorporated  to  yield 

Ej(xo  o)  € W and  ZjixQ  gja))  e W , 

because  both  Qj(xQ  a)  and  Qj(xo  gja))  are  true.  By  Condition  (4)  then,  we  have 
Ej(xo  a)  > Ej<Xo  gJa))  . 

We  can  now  use  the  induction  hypothesis,  with  i'  - j and  a'  - g^(a),  yielding  the  desired 
conclusion 

sometime  at  finish. 


I 
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In  this  section  we  have  shown  how  proofs  by  the  conventional  methods  for  establishing  partial 
correctness  and  termination  of  programs  may  be  translated  into  intermittent-assertion  proofs  of 
the  same  results.  The  translation  process  is  purely  mechanical  and  does  not  increase  the 
complexity  of  the  proof.  For  this  reason  we  can  conclude  that  in  employing  the 
intermittent-assertion  method  we  have  not  lost  any  of  the  power  of  the  existing  methods. 

Is  it  possible  that  a similar  translation  could  be  performed  in  the  other  direction?  For 
example,  couldn't  we  devise  a procedure  for  translating  any  partial-correctness  proof  by  the 
intermittent-assertion  method  into  a conventional  invariant-assertion  proof  of  comparable 
complexity?  We  believe  not.  We  have  seen  no  invariant-assertion  proof  for  the  tips  program 
that  does  not  require  consideration  of  the  sum  of  the  tips  of  all  the  elements  in  the  stack  We 
have  seen  no  termination  proof  of  the  iterative  Ackermann  program  by  the  conventional 
method  that  employs  such  a simple  well-founded  ordering  as  the  Intermittent-assertion  proof. 
Without  formulating  a precise  notion  of  the  "complexity"  of  a proof,  we  cannot  argue  rigorously 
that  the  Intermittent-assetion  method  is  strictly  more  powerful  than  the  conventional  methods, 
but  our  experience  and  our  intuition  lead  us  to  maintain  that  this  is  so. 
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IV.  Application*.  Validity  of  Transformations  That 
Eliminate  Recursion 

In  discussing  the  tips  program  (Section  11-1)  we  remarked  that  part  of  the  difficulty  in  proving, 
the  correctness  of  the  program  arose  because  the  program  was  developed  by  introducing  a stack 
to  remove  the  recursion  from  the  original  definition.  It  has  been  argued  (eg.  Knuth  [1974], 
Burstall  and  Darlington  [1975],  Gerhart  [1975])  that,  in  such  cases,  we  should  first  prove  the 
correctness  of  the  original  recursive  program,  and  then  develop  the  more  efficient  iterative 
version  by  applying  one  or  more  transformations  to  the  recursive  one.  These  transformations 
are  intended  to  increase  the  efficiency  of  the  program  (at  the  possible  expense  of  clarity)  while 
still  maintaining  its  correctness. 

If  we  were  applying  this  methodology  in  producing  our  tips  program,  therefore,  we  would  first 
prove  the  correctness  of  the  recursive  version  (a  trivial  task,  since  that  version  is  completely 
transparent);  we  would  then  develop  the  iterative  tips  program  by  systematically  transforming 
the  recursive  program  --  removing  its  recursion  and  introducing  a stack  instead. 
Consequently,  the  proof  we  presented  in  Section  11  would  be  completely  unnecessary,  since  the 
program  would  have  been  produced  by  applying  to  a correct  recursive  program  a sequence  of 
transformations  that  are  guaranteed  not  to  change  that  program’s  specifications. 

To  realize  such  a plan,  however,  we  must  be  certain  that  the  transformations  we  use  are  valid; 
I.e.  that  they  actually  do  produce  a program  equivalent  to  the  original  one.  Given  the  same 
input,  the  two  programs  must  be  guaranteed  to  return  the  same  output.  In  other  words,  we 
must  be  certain  that  bugs  cannot  be  introduced  during  the  transformation  process. 

In  this  section  we  will  illustrate  how  intermittent  assertions  can  be  employed  to  establish  the 
validity  of  such  transformations.  VVe  will  present  the  intermittent-assertion  proof  of  the 
validity  of  a transformation  that  removes  a recursion  by  introducing  a stack.  This 
transformation  could  have  been  used  to  produce  our  iterative  tips  program  from  its  recursive 
definition. 

Suppose  we  have  a recursive  program  of  form 

F(x)<-  If^(x) 

then  f{x) 

elseA(F(g|(x))  F(gz(x))). 

(For  simplicity,  let  us  assume  that  p.f,  g;,  g2  and  h are  defined  for  all  arguments).  If  we  know 
that 
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(1)  h{u  h{v  w))  - MA(u  y)  lu)  for  every  u.  y and  w 

(A  is  associative),  and 

(2)  A(e  u)  - u for  every  u 

(«  is  a left  identity  of  A), 

then  we  can  transform  our  program  into  an  equivalent  iterative  program,  of  form 
input(x) 

start:  stack  «-  (*) 
z *-  e 

more.  If  stack  = () 

then  finish:  output(z) 
else  if  p(head(stack)) 

then  z «-  h{z  f{head{stack))) 
stack  «-  tailistack) 
goto  more 

else  first  ♦-  head(stack) 

stack  *-  giifirst)  • Igzifirst)  • tailistack)] 
goto  more 

The  validity  of  this  transformation  is  expressed  by  the  following  two  theorems. 

Theorem  1:  if  sometime  x = a at  start 
and  F(a)  is  defined 
then  sometime  z «=  F(a)  at  finish. 

and 

Theorem  2:  if  sometime  x = a at  start 

and  the  iterative  computation  terminates 
then  F((i)  is  defined. 

Theorem  I contains  the  condition  that  F(a)  is  defined  (that  the  recursive  computation  of  F with 
input  a will  terminate).  This  condition  is  necessary  for,  otherwise,  the  iterative  program  will 
not  terminate,  and  therefore  control  will  never  reach  finish  at  all.  If  we  succeed  In  proving 
Theoitm  I,  we  will  have  established  that  the  iterative  program  terminates  whenever  the 
original  recursive  program  does,  and  returns  the  same  output;  in  other  words,  the  iterative 
program  computes  an  extension  of  the  function  computed  by  the  recursive  program,  rather  than 
the  exact  same  function.  Theorem  2 shows  that  the  recursive  program  halts  whenever  the 
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Iterative  program  does.  Together,  Theorems  1 and  2 imply  that  the  recursive  and  iterative 
programs  are  equivalent  The  proof  of  Theorem  1 is  analogous  to  the  proof  of  the  total 
correctness  of  the  tips  program,  it  can  be  proved  using  the  following  lemma. 

Lemma  1:  if  sometime  z = r and  stack  - a-s  at  more 

and  F(a)  is  defined  jj 

then  sometime  z = A(c  F(a))  and  stack  ■ s at  more. 

t 

To  show  that  the  lemma  implies  Theorem  I,  assume  (I 

k 

sometime  x - a at  start 

and  that  F{a)  is  defined.  Then  immediately  control  passes  to  more,  so  that 

sometime  z » e and  stack  = (c)  •=  a-()  at  more.  1 

By  the  lemma  [taking  c to  be  e and  s to  be  ()],  we  have 
sometime  z « h{e  F(a))  and  stack  ■=  ()  at  more. 

But  h{e  F(a))  - F(a)  by  Property  (2).  that  e is  a left  identity  of  h.  Because  stack  is  (),  control 

passes  to  finish,  and  we  deduce  I 

sometime  z • F(a)  at  finish, 

which  is  the  desired  conclusion  of  the  theorem. 

To  prove  the  lemma,  suppose 

sometime  z « c and  stack  « a-s  at  rnore, 

where  F(a)  is  defined.  The  proof  employs  complete  induction  on  a,  over  the  ordering  > induced 

by  the  recursive  computation.  This  is  the  ordering  such  that  j 

I 

d>  d , 

where  F(rf’)  is  called  recursively  during  the  computation  of  F(rf),  and  where  the  computation  of 
F(<f)  terminates.  In  particular,  if  F(<f)  is  defined,  d > g\{d)  and  d > gi^d).  This  ordering  > is 
well-founded,  because  an  infinite  decreasing  sequence  in  the  ordering  would  correspond  to  an 
infinite,  nonterminating  computation  of  the  recursive  program,  but  the  ordering  has  only  been 
defined  for  finite  (terminating)  computations. 
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We  will  assume  inductively  that  the  lemma  holds  whenever  z ■ c'  and  stack  « a'- s’,  where  a > a' 
in  the  ordering  > induced  by  the  recursive  computation,  and  show  chat  it  holds  when  z - c and 
slack  - a>i  as  well.  We  distinguish  between  two  cases,  depending  on  the  truth  of  p{a). 

Casa  p(a)  Is  truei  Then  F{a)  ■ f[a),  by  the  recursive  definition  of  F.  Because  a is  at  the 

head  of  the  stack,  the  stack  is  not  empty  and  p{head{stack))  is  true;  therefore  we  follow  the  then 
branch  of  the  program,  so  that 

sometime  z - h{c  f{a))  and  stack  « j at  more. 

But  J{a)  » F(a),  so  we  have 

sometime  z - fi{c  F(a))  and  stack  - j at  more, 

which  is  the  desired  conclusion. 

Case  p{a)  Is  false:  Here  F(o)  • h{¥{g^{a))  ¥{§2^)),  by  the  recursive  definition  of  F.  Note 

that  F(o)  is  defined;  therefore  ¥(gi{a))  and  F(^2(o))  are  also  defined.  Because  stack  is  not  empty 

and  p{head(stack))  is  false,  control  follows  the  else  branch  of  the  loop  body,  so  that 

sometime  z - c and  stack  « |'i(a)*[^2(a)-i]  at  more. 

Recall  that  a > g]{a),  because  we  have  assumed  that  F(a)  is  defined;  therefore  we  can  apply  the 
induction  hypothesis  [taking  c*  to  be  c,  a'  to  be  |•|(a),  and  s'  to  be  ^2(0)- j]  to  obtain 

sometime  z - fi{c  ¥(g,(a)))  and  stack  « g2W’S  at  more. 

Because  a > ^2(0),  we  can  apply  the  induction  hypothesis  a second  time  [taking  c’  to  be 
ftU  F(g|(a))),  a'  to  be  ^2(0),  and  s'  - s].  We  derive 

sometime  z - h(h(c  F(^|(a)))  ¥{g2{a)))  and  stack  - j at  more. 

By  the  associativity  of  ft  (Property  (I)),  and  the  recursive  definition  of  F,  we  have 

me  ¥(gt(a)))  ¥(g2(a)))  - He  H¥(gtia))  Figiia))))  - h(c  F(a)). 

Therefore  we  can  conclude 

sometime  z - He  F(o))  and  stack  - s at  more, 

completing  the  proof  of  the  lemma.  j 

! 

i 
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So  far  we  have  only  established  Theorem  1,  that  the  function  computed  by  the  iterative 
program  is  an  extension  of  the  function  computed  by  the  recursive  program.  We  still  need  to 
prove  Theorem  2,  that  if  the  iterative  program  terminates,  then  the  recursive  program  also 
terminates.  This  proof  depends  on  another  lemma. 

Lemma  2:  if  sometime  z •=  c and  stack  ‘ a-s  at  more 

and  the  iterative  computation  terminates 
then  F(a)  is  defined. 

Lemma  2 implies  Theorem  2 directly,  because  the  stack  is  initialized  to  (o)  - o-(). 

The  proof  of  the  lemma  employs  induction  over  the  ordering  > induced  by  the  iterative 
computation.  In  this  ordering,  (C|  i))  > (c2  Si),  where  Cj  and  Cj  are  successive  values  of  the' 
variable  z at  more,  and  S|  and  jg  are  successive  values  of  the  stack  at  more,  during  a 
terminating  computation  of  the  iterative  program. 

To  prove  the  lemma,  suppose  that 

sometime  z - c and  stack  « a-s  at  more, 

and  that  the  iterative  computation  terminates.  We  assume  inductively  that  the  lemma  holds 
whenever  z = c'  and  stack  - a’- s'  where  (c  a-j)  > (c'  a** s')  in  the  ordering  induced  by  the 
computation,  and  show  that  F(a)  is  then  defined. 

We  distinguish  between  two  cases. 

Case  p{a)  Is  true:  Here  F(o)  = f{a)  by  the  recursive  program,  and  therefore  F(a)  is  defined. 

Case  p{a)  Is  false:  Here  F(a)  « h{^{g^{a))  Fig^M)).  by  the  recursive  program.  Since  stack  is 
not  empty  and  p(head{stack))  is  false,  the  iterative  computation  follows  the  else  branch,  so  that 

sometime  z « c and  stack  •=  g|(o)-[g2{a)* s)  at  more. 

Because  the  computation  was  assumed  to  terminate,  we  have  that 

(c  a-j)  >■  (c  g,(a)-[g2(a)-s]), 

and  therefore,  by  our  induction  hypothesis,  that 

F(g|(o))  is  defined. 

By  Lemma  1,  we  have  that 
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sometime  z - A(c  F(^|(o)))  and  stack  - giW-s  at  more. 

Again,  by  the  induction  hypothesis,  we  have  that  F(fj(a))  is  defined.  Because  both  F(gi(a))  and 
F(g2(a»  are  defined,  and  F(o)  - A(F(g,(a))  Figgia))).  we  can  conclude  that  F(a)  is  defined 

We  have  just  shown  the  validity  of  the  transformation  that  was  actually  used  to  produce  the 
iterative  tips  program  in  Section  II- 1.  As  in  that  section,  we  could  have  used  the  conventional 
invariant-assertion  technique  in  the  proof  of  Theorem  1.  However,  although  we  could  employ 

the  standard  ^ notation  to  denote  repeated  applications  of  the  ♦ operation  in  the  tips 

invariant  assertion,  we  would  have  had  to  invent  a new  notation  to  denote  repeated  application 
of  the  function  h in  the  invariant  assertion  for  the  iterative  program  here. 


In  the  next  section  we  will  discuss  an  entirely  different  application  of  the  intermittent-assertion 
method. 
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V.  Application:  Correctness  of  Continuously  Operating 

Programs 

Conventionally,  in  proving  the  correctness  of  a program,  we  describe  its  expected  behavior  in 
terms  of  an  output  specification,  which  is  intended  to  hold  when  the  program  terminates.  Some 
programs,  such  as  operating  systems,  airline-reservation  systems  and  management  information 
systems,  however,  are  never  expected  to  terminate.  Such  programs  will  be  said  to  be 
continuously  operating  (see,  for  example,  Francez  and  Pneuli  [1977]).  The  correctness  of 
continuously  operating  programs  therefore  cannot  be  expressed  by  output  specifications,  but 
rather  by  their  intended  behavior  while  running. 

Furthermore,  we  conventionally  describe  the  internal  workings  of  a program  with  an  invariant 
assertion,  which  is  intended  to  hold  every  time  control  passes  through  the  corresponding  point. 
The  description  of  the  workings  of  a continuously  operating  program,  however,  often  involves 
a relationship  that  some  event  A is  inevitably  followed  by  some  other  event  B.  Such  a 
relationship  connects  two  different  states  of  the  program  and,  generally,  cannot  be  phrased  as 
an  invariant  assertion. 

In  other  words,  the  standard  tools  for  proving  the  correctness  of  terminating  programs, 
input-output  specifications  and  invariant  assertions,  are  not  appropriate  for  continuously 
operating  programs.  The  intermittent-assertion  method  provides  a natural  complement  here, 
both  as  a means  for  specifying  the  internal  and  external  behavior  of  these  programs,  and  as  a 
technique  for  proving  the  specifications  correct. 

We  will  use  one  very  simple  example,  an  imaginary  sequential  operating  system,  to  illustrate 
this  point: 

more:  remtiirequests) 

setup.  It  requests  » () 
then  goto  more 

else  (job  requests)  *-  (head{requests)  tail(requests)) 
execute:  process<job) 
goto  setup. 

At  each  iteration  this  program  reads  a list,  requests,  of  jobs  to  be  processed.  If  requests  is 
empty,  the  program  will  read  a new  list,  and  will  repeat  this  operation  indefinitely  until  a 
nonempty  request  list  is  read.  The  system  will  then  process  the  jobs  one  by  one;  when  they  are 
all  processed,  the  system  will  again  attempt  to  read  a request  list. 

What  we  wish  to  establish  about  this  program  is  that  if  a job  j is  read  into  the  request  list,  it 
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will  eventually  be  processed  Although  this  claim  is  not  representable  as  an  input-output 
specification,  it  is  directly  expressed  in  the  following 

Theorem:  if  sometime  j € requests  at  setup 

then  sometime  joi>  » j at  execute. 

Here,  j € requests  means  that;  belongs  to  the  list  of  current  requests. 

To  prove  the  theorem,  assume  that 

sometime;  e requests  at  setup. 

Then  requests  is  not  empty  and  is  of  the  form 

a;  a. 

where  a and  are  the  sublists  of  jobs  occuring  before  and  after;,  respectively,  in  the  request 
list.  Our  proof  will  be  by  complete  induction  on  the  structure  of  a:  we  assume  the  theorem 
holds  whenever  requests  is  of  form 

a’;  0. 

for  any  sublist  a’  of  a.  The  proof  distinguishes  between  two  cases 

Case  a - ():  Then  j = head{requests).  Since  requests  * {),  we  reach  execute  with 

job  - head(requests)  - j,  satisfying  the  conclusion  of  the  theorem. 

Case  a e ():  Then  a - head{<x)<  taU{a).  Because  again  requests  e (),  we  process  job  - head{a), 
and  return  to  setup  with  requests  reset  to  tail(a)j(i.  Since  tail{a)  is  a sublist  of  a,  we  can 
conclude  from  our  inductive  assumption  that 

sometime  ;o6  - ; at  execute, 

as  we  had  hoped 

This  program  is  very  simple,  but  it  may  serve  to  suggest  how  the  intermittent-assertion  method 
can  be  applied  to  the  more  realistic  examples. 

Note  that  when  we  make  a statement  of  form 

if  sometime  P at  L| 
then  sometime  Q at  Lj, 
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we  do  not  necessarily  imply  that  condition  Q is  satisfied  at  Lj  after  condition  P is  satisfied  at 
L|,  in  fact,  condition  Q could  hold  before  condition  P.  Thus,  in  the  above  example,  we  should 
be  perlectly  content  if  some  especially  fast  operating  system  were  able  to  process  the  job  before 
It  was  submitted  In  fact,  the  proof  techniques  that  we  have  used  in  this  paper  will  only  allow 
us  to  prove  an  implication  of  the  above  form  if  Q holds  at  Lj  after  P holds  at  L|.  Additional 
techniques  would  be  necessary  if  we  wanted  to  prove  such  an  implication  if  Q actually  holds 
before  P 

T hroughout  this  paper,  in  proving  an  implication  of  the  above  form,  we  have  tacitly  assumed 
that  conditions  P and  Q are  satisfied  at  different  stages  of  the  iame  computation.  It  is  possible 
to  relax  this  assumption  and  relate  different  computations  by  extending  our  notation 
appropriately  We  believe  one  could  then  apply  the  intermittent-assertion  method  to  prove 
properties  of  nondeterministic  and  concurrent  programs  as  well. 
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VI.  Conclusions 

The  intermittent-assertion  method  not  only  serves  as  a valuable  tool,  but  also  provides  a 
general  framework  encompassing  a wide  variety  of  techniques  for  the  logical  analysis  of 
programs.  Diverse  methods  for  establishing  partial  correctness,  termination,  and  equivalence  fit 
easily  within  this  framework.  Furthermore,  some  proofs,  naturally  expressed  with  intermittent 
assertions,  are  not  as  easily  conveyed  by  the  more  conventional  methcxls 

It  has  yet  to  be  determined  which  phases  of  the  intermittent-assertion  proof  process  will  be 
accessible  to  implementation  in  verification  systems.  If  the  lemmas  and  the  well-founded 
orderings  for  the  induction  are  provided  by  the  programmer,  to  construct  the  remainder  of  the 
proof  appears  to  be  fairly  mechanical.  On  the  other  hand,  to  find  the  appropriate  lemmas  and 
the  corresponding  orderings  may  require  some  ingenuity.  We  believe  that  the 
intermittent-assertion  method  will  have  practical  impact  because  it  allows  us  to  incorporate  our 
intuitive  understanding  about  the  way  a program  works  directly  into  a proof  of  its  correctness. 
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